Federal Agencies Need to Implement Recommendations to Manage Supply Chain Risks

Testimony before the Subcommittees on Investigations and Oversight and Research and Technology, Committee on Science, Space and Technology, House of Representatives

Vijay A. D'Souza, Director, Information Technology and Cybersecurity, Government Accountability Office (GAO)

25 May 2021

Select excerpt from June 2021: SHIELDWatch Newsletter


In testimony to the U.S. House of Representatives, the GAO Director for Information Technology and Cybersecurity summarized GAO's previous findings on vulnerabilities in the U.S. federal government's Information & Communications Technology (ICT) supply chain, the recommendations GAO had made, and the implementation status and impact of those recommendations across 23 federal agencies. Among the industries and technologies noted as having supply chains vulnerable to cyber-attack were pipelines, bulk energy, avionics, and 5G. Additionally, the GAO plans to release a detailed report evaluating federal agencies' response to the SolarWinds compromise in fall 2021.

The exploitation of ICT products and services through the supply chain is an emerging threat. ICT supply chain-related threats can be introduced in the manufacturing, assembly, and distribution of hardware, software, and services. Moreover, these threats can appear at each phase of the system development life cycle, when an agency initiates, develops, implements, maintains, and disposes of an information system. As a result, the compromise of an agency’s ICT supply chain can degrade the confidentiality, integrity, and availability of its critical and sensitive networks, IT-enabled equipment, and data.

Over the past several years, Congress and federal agencies have taken a number of steps aimed at mitigating ICT supply chain risks. Despite these measures, we have previously reported that federal agencies have not effectively managed supply chain risks.

Few Federal Agencies Implemented Foundational Practices for Managing ICT Supply Chain Risks

The recent compromise of SolarWinds highlights the significance of threats to the ICT supply chain. In December 2020, we reported on the 23 civilian agencies’ implementation of foundational practices for managing ICT supply chain risks. In that report, we identified and selected the seven practices from NIST’s guidance that are considered foundational for an organization-wide approach to ICT SCRM. These selected foundational practices are:

  • Establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;
  • Developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
  • Establishing an approach to identify and document agency ICT supply chain(s);
  • Establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;
  • Establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;
  • Developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services;
  • Developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

However, as we discussed in our report, none of the 23 agencies had fully implemented all of the supply chain risk management practices. Further, 14 of the 23 agencies had not implemented any of the practices. Figure 1 summarizes the extent of the agencies’ implementation of the practices.

[Figure 1: extent of the 23 agencies' implementation of the selected foundational ICT SCRM practices; image not reproduced in this excerpt]

As a result of not fully implementing these selected foundational practices, the agencies are at greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain, causing disruptions to mission operations, harm to individuals, or theft of intellectual property. For example, without executive oversight of SCRM activities, agencies are limited in their ability to make organization-wide risk decisions about how to most effectively secure their ICT product and service supply chains. Moreover, without reasonable visibility into and traceability of their supply chains, agencies lack the ability to understand and manage risk and to reduce the likelihood that adverse events will occur.

Officials from the 23 agencies cited various factors that had limited their implementation of the selected foundational practices for managing supply chain risks. The most commonly cited factor was the lack of federal SCRM guidance.
